Is it a HIPAA violation to email patient names?
Emailing patient names may or may not constitute a HIPAA violation, depending on the circumstances. If names are not linked to protected health information (PHI), HIPAA does not apply. However, when names are part of a designated record set containing health information, or the email includes health-related content, HIPAA compliance is required.
HIPAA email rules and when compliance is required
HIPAA compliance is necessary when patient names are linked to PHI and transmitted by a covered entity or business associate. Covered entities include healthcare providers, health plans, and clearinghouses that electronically transmit identifiable health information in transactions covered under HIPAA regulations.
Patient names not tied to health data, such as those kept in a separate database for marketing purposes, are not considered PHI. However, if a name is part of a designated record set that includes details about a patient’s condition, treatment, or payment, it qualifies as PHI and is protected under HIPAA.
For example, a standalone list of patient names emailed for a community event might not be a violation, but emailing those names with information about treatments or appointments could trigger HIPAA concerns.
Permissible circumstances for emailing patient names
Emails containing patient names can be sent in compliance with HIPAA under specific circumstances, such as:
- For treatment, payment, or healthcare operations.
- To family members notifying them of a patient’s condition or death.
- As required by law or requested by regulatory bodies like the U.S. Department of Health and Human Services (HHS).
When emailing names that qualify as PHI, safeguards such as encryption must be in place. Exceptions exist when patients explicitly authorize unencrypted communication, but even then, covered entities must document the authorization process.
Common HIPAA violations involving email
Many email-related HIPAA violations occur due to human error or insufficient safeguards. Notable examples include:
- Eastern Connecticut Health Network (July 2023): An employee failed to use the BCC function when sending an email, exposing the PHI of 912 patients to all recipients.
- ReDiscover Mental Health (May 2023): An unencrypted email containing PHI for 877 individuals was sent, violating HIPAA’s security rule.
- Mount Vernon Dental Smiles (January 2024): PHI of 1,074 patients was mistakenly emailed to an unauthorized individual.
- Yardley Dermatology Associates (March 2023): A spreadsheet with PHI for 523 individuals was attached to an email sent to the wrong recipients.
These incidents illustrate the risks of failing to secure email communications and show the need for HIPAA-compliant email services and processes.
How to avoid HIPAA email violations
Organizations can prevent email-related HIPAA violations by:
- Identifying when names qualify as PHI: Train staff to recognize when names are tied to health data and require safeguards.
- Using HIPAA compliant email services: Ensure email platforms include encryption, access controls, and audit logs to protect PHI.
- Implementing clear policies: Define procedures for emailing patient information and when exceptions, such as patient consent, apply.
- Providing ongoing training: Educate employees about proper email use, phishing risks, and compliance best practices.
- Conducting risk assessments: Regularly evaluate email processes to identify vulnerabilities and strengthen safeguards.
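Several of the controls above (recognising when an attachment looks like PHI, catching a forgotten BCC, and refusing to send PHI without encryption) can be enforced automatically at send time. The following is an added example of such a pre-send gate, written for this article; it is not Paubox's product or any real DLP tool. It assumes a hypothetical X-Encrypt-Policy header that the organisation's mail gateway honours, a visible-recipient limit of five, and a small list of indicator terms; all sample messages and the roster data are constructed.

```python
"""Pre-send policy gate for outbound mail (hypothetical, added example).

Checks an RFC 5322 message for the three failure modes described above:
  1. many recipients visible in To/Cc (the "forgot BCC" incident),
  2. a body or attachment that reads like a patient roster (PHI indicators),
  3. PHI-looking content sent without the encryption marker.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

VISIBLE_RECIPIENT_LIMIT = 5          # assumption: set to the organisation's policy
ENCRYPT_HEADER = "X-Encrypt-Policy"  # hypothetical header a gateway would honour

# Terms that commonly appear in a designated record set (assumed list; extend as needed).
PHI_INDICATORS = re.compile(
    r"\b(diagnosis|dob|date of birth|mrn|medical record|treatment|appointment|icd-?10)\b",
    re.IGNORECASE,
)


def visible_recipients(msg):
    """Addresses every recipient can see: To and Cc (Bcc is stripped in transit)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr]


def iter_text_parts(msg):
    """Yield (filename or None, decoded text) for each non-multipart part."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:              # unknown charset label: fall back to UTF-8
            text = payload.decode("utf-8", errors="replace")
        yield part.get_filename(), text


def looks_like_phi(text):
    """Require two distinct indicator terms so a lone word like 'treatment' does not trip it."""
    return len({m.lower() for m in PHI_INDICATORS.findall(text)}) >= 2


def check_message(raw):
    """Return a list of policy findings for a raw message; an empty list means it may be sent."""
    msg = message_from_string(raw)
    findings = []

    recipients = visible_recipients(msg)
    if len(recipients) > VISIBLE_RECIPIENT_LIMIT:
        findings.append(f"BCC: {len(recipients)} recipients visible in To/Cc; use Bcc for bulk mail")

    phi_parts = [name for name, text in iter_text_parts(msg) if looks_like_phi(text)]
    for name in phi_parts:
        where = f"attachment {name}" if name else "message body"
        findings.append(f"PHI: indicator terms found in {where}")

    if phi_parts and msg.get(ENCRYPT_HEADER, "").strip().lower() != "required":
        findings.append(f"ENCRYPTION: PHI-looking content without {ENCRYPT_HEADER}: required")
    return findings


# Constructed sample data: a roster with columns that mark it as a record set.
SAMPLE_CSV = (
    "name,dob,diagnosis,next appointment\n"
    "Pat Example,1980-01-02,J45.909,2024-03-01\n"
)


def build_sample(to_addrs, attach_roster, encrypt=False):
    """Build a constructed outbound message as a raw string."""
    m = EmailMessage()
    m["From"] = "clinic@example.org"
    m["To"] = ", ".join(to_addrs)
    m["Subject"] = "Community health fair"
    if encrypt:
        m[ENCRYPT_HEADER] = "required"
    m.set_content("Hi all, please see the attached list.")
    if attach_roster:
        m.add_attachment(SAMPLE_CSV, subtype="csv", filename="roster.csv")
    return m.as_string()


if __name__ == "__main__":
    bulk = build_sample([f"patient{i}@example.com" for i in range(8)], attach_roster=True)
    for finding in check_message(bulk):
        print(finding)
```

Running the block prints three findings for the constructed bulk message (visible recipients, the roster attachment, and the missing encryption marker) and none for a short note with two recipients and no attachment. The two-term threshold in looks_like_phi and the indicator list are deliberately simple; a production gate would combine them with the record-set classification the organisation already maintains rather than rely on keywords alone.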
FAQs
Is emailing patient names always a HIPAA violation?
No. HIPAA applies only if names are linked to health information or are part of a record set containing PHI.
What is PHI under HIPAA?
Protected Health Information (PHI) includes any individually identifiable health information related to a patient’s condition, treatment, or payment.
Are encrypted emails required for sending PHI?
Yes, encryption protects PHI in transit and is required unless the patient authorizes unencrypted communication.
Can a patient withdraw consent for unencrypted emails?
Yes, patients can withdraw consent in writing at any time. This must be documented and respected moving forward.